
Win32.Worm.Gimmiv.B


First posted on 21 November 2011.
Source: BitDefender

Aliases:

There are no other names known for Win32.Worm.Gimmiv.B.

Explanation:

The malware detected as Win32.Worm.Gimmiv.A drops the following files into %system32%\wbem: basesvc.dll, winbase.dll and syicon.dll.

The winbase.dll file is then registered as a service; once that service is started, it loads basesvc.dll and syicon.dll into memory.
After loading these DLLs, the worm starts collecting information from the infected system, such as the user name and password, the locally installed antivirus products, and the usernames and passwords stored by Outlook Express and MSN Messenger.

Basesvc.dll then exploits MS08-067, a vulnerability in the Windows Server service, and attempts through a series of RPC requests to replicate the worm onto other machines on the network.

It uses the srvsvc named pipe as its RPC interface, registered with the UUID 4b324fc8-1670-01d3-1278-5a47bf6ee188, to achieve remote code execution, so that it can propagate to and run on every vulnerable system it reaches.

The most affected systems are those running Windows 2000, Windows XP or Windows Server 2003 with the firewall disabled, or with a firewall exception for File and Printer Sharing.
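The host indicators described above (three DLLs in %system32%\wbem, with winbase.dll registered as a service) can be turned into a simple triage check. The following is an added example written for this page, not BitDefender's code; the %system32% default, the service name "ExampleSvc" and all sample paths are constructed assumptions, and the check only matches files sitting in the wbem directory itself.

```python
import ntpath

# Indicators taken from the description above: three DLLs dropped into
# %system32%\wbem, with winbase.dll registered as a service that loads the others.
DROPPED_DLLS = ("basesvc.dll", "winbase.dll", "syicon.dll")
SERVICE_DLL = "winbase.dll"
# Assumed default %system32% location; pass the real one for the host under review.
DEFAULT_SYSTEM32 = r"C:\Windows\system32"


def _norm(path):
    """Canonicalise a Windows path for comparison (case-insensitive, collapsed separators)."""
    return ntpath.normpath(path).lower()


def find_gimmiv_indicators(file_inventory, services, system32=DEFAULT_SYSTEM32):
    """Match a host's file list and service table against the Gimmiv indicators.

    file_inventory: iterable of full paths present on the host.
    services: mapping of service name -> path of the module the service runs.
    Returns a list of (kind, detail) tuples; an empty list means nothing matched.
    """
    wbem = _norm(ntpath.join(system32, "wbem"))
    present = {_norm(p) for p in file_inventory}
    findings = []
    for dll in DROPPED_DLLS:
        # Only a hit when the file sits in wbem itself, not elsewhere on disk.
        if ntpath.join(wbem, dll) in present:
            findings.append(("dropped_file", ntpath.join(wbem, dll)))
    for name, module in services.items():
        m = _norm(module)
        if ntpath.dirname(m) == wbem and ntpath.basename(m) == SERVICE_DLL:
            findings.append(("service", f"{name} -> {module}"))
    return findings


# Constructed sample data (not from a real host) to exercise the check.
SAMPLE_CLEAN_FILES = [r"C:\Windows\system32\wbem\wmiprvse.exe",
                      r"C:\Windows\system32\basesvc.dll"]  # same name, wrong directory
SAMPLE_CLEAN_SERVICES = {"Browser": r"C:\Windows\system32\browser.dll"}
SAMPLE_INFECTED_FILES = SAMPLE_CLEAN_FILES + [
    r"C:\WINDOWS\System32\wbem\BASESVC.DLL",  # mixed case, as a listing tool might report it
    r"C:\WINDOWS\System32\wbem\winbase.dll",
    r"C:\WINDOWS\System32\wbem\syicon.dll"]
SAMPLE_INFECTED_SERVICES = dict(SAMPLE_CLEAN_SERVICES,
                                ExampleSvc=r"C:\WINDOWS\system32\wbem\winbase.dll")  # constructed name

if __name__ == "__main__":
    for label, files, svcs in [("clean", SAMPLE_CLEAN_FILES, SAMPLE_CLEAN_SERVICES),
                               ("infected", SAMPLE_INFECTED_FILES, SAMPLE_INFECTED_SERVICES)]:
        print(label, find_gimmiv_indicators(files, svcs))
```

On a live host the file inventory and service table would come from a directory listing and the services configuration rather than the constructed samples.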

Last update 21 November 2011
